MOVEit Compromise Underscores the Importance of Continuous SaaS Security Monitoring

By John Filitz, Group Product Marketing Manager, AppOmni

As more information becomes available, the exploitation of a critical vulnerability in the MOVEit managed file transfer software is seen as one of the more significant cyber breaches in recent times. Threat actors belonging to the CL0P ransomware group have compromised customers that utilize MOVEit. It also appears that MOVEit itself has been compromised by the very same exploit, raising questions about the extent of breach exposure across its customer base.

Over 100 organizations utilizing the MOVEit software have had data compromised, according to Mandiant, and more affected companies continue to come forward. Some of the impacted organizations include the U.S. Department of Energy, the U.S. Office of Personnel Management, the BBC, and British Airways. The largest U.S. pension fund, CalPERS, and insurer Genworth disclosed on June 23rd, 2023 that they had been impacted by the exploit, with member and customer data being compromised. Most recently, Siemens Energy and Schneider Electric disclosed on June 28th, 2023 that they too have had data stolen as a consequence of the MOVEit exploit.

What’s the Connection with SaaS Security?

One area that may remain a blind spot for organizations is how and where MOVEit is connected to SaaS applications in their environment. SaaS security platforms should be able to monitor SaaS-to-SaaS connections, where plugins or applications are connected into a core SaaS platform such as Salesforce or Microsoft 365.

In the wake of the MOVEit-related data breaches, AppOmni has discovered a number of instances where MOVEit servers or MOVEit Cloud have been connected to Microsoft 365 environments and other SaaS services. These connections could potentially result in a compromise of data. In some customer environments, AppOmni has identified connections from SaaS environments to a MOVEit server that was unpatched.

The fact that these infrastructure components were unpatched, vulnerable to an active exploit, and “invisibly” connected to a core SaaS platform shows how the lack of visibility and continuous monitoring for SaaS can expose an organization to active cyber attacks.

In response to the MOVEit vulnerability, AppOmni has also released a SaaS Security Posture Management Insight that will flag any suspicious MOVEit-related activity within your SaaS app environments.

The SaaS Security Imperative

Cyber threats such as the MOVEit vulnerability underscore the need for organizations to adopt proactive cybersecurity postures. When it comes to protecting your SaaS environments, it’s imperative that organizations leverage a dedicated SaaS Security Posture Management solution such as AppOmni.

AppOmni provides deep security threat observability across the SaaS estate, including SaaS-to-SaaS connections. With actionable insights that enable guided remediation to secure your organization’s SaaS apps and associated data, it is fast becoming an essential solution in the security stack.

AppOmni was founded to address this SaaS security risk. See why leading global enterprises choose AppOmni as their SaaS security solution of choice. Schedule a demo today.

Related Information to the MOVEit Breach

This zero-day vulnerability — assigned CVE-2023-34362 — was first exploited on May 27th, 2023 by way of webshell deployment that resulted in data theft, according to Mandiant. Some reports indicate that this zero-day was discovered by threat actors over a year ago.

Although no ransom demands were initially received after the May 27th compromise, the Russian CL0P ransomware group did issue a statement on the CL0P^_LEAKS website claiming responsibility for the compromise. In their statement, CL0P threatened to post stolen data from affected companies if they did not pay the extortion fee, and there are early indications that extortion attempts are starting to take place.

Progress Software, the company behind MOVEit, quickly issued a patch and communication directives to address this vulnerability. The first communiqué was issued on May 31st, followed by subsequent revisions as more information became available.

Some of the key remediation steps outlined by Progress Software include:

  • Disabling all HTTP and HTTPS traffic to your MOVEit environment until the patch is applied
  • Reviewing, deleting, and resetting all MOVEit-related instances and user access
  • Applying the patch and verifying that no indicators of compromise are present

Among other key steps, Progress Software also recommended adopting continuous monitoring. Click here for Progress’ detailed remediation guide.
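The blind spot described above is SaaS-to-SaaS connections that quietly point at a MOVEit server, possibly an unpatched one. The following added example (not AppOmni's or Progress Software's code) walks a constructed inventory of connected apps, flags any whose name or endpoint host references MOVEit, and classifies each by whether its recorded patch date falls before the May 31st, 2023 advisory; the record field names and the patch-date heuristic are assumptions, and a "patched" result still needs the indicator-of-compromise review the vendor recommends.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Date of Progress Software's first MOVEit advisory and patch (stated in the post).
MOVEIT_PATCH_DATE = date(2023, 5, 31)

# Constructed sample inventory of SaaS-to-SaaS connections. The field names
# (platform, app, endpoint, last_patched) are assumptions about the shape a
# connected-app export might take; hosts use the reserved .test TLD.
SAMPLE_CONNECTIONS = [
    {"platform": "Microsoft 365", "app": "MOVEit Transfer Connector",
     "endpoint": "https://mft.example.test/api/v1", "last_patched": date(2023, 5, 20)},
    {"platform": "Salesforce", "app": "Slack Notifications",
     "endpoint": "https://slack.com/api", "last_patched": date(2023, 6, 15)},
    {"platform": "Microsoft 365", "app": "Legacy file sync",
     "endpoint": "https://moveit.example.test/", "last_patched": None},
    {"platform": "Microsoft 365", "app": "MOVEit Cloud",
     "endpoint": "https://files.moveitcloud.example.test", "last_patched": date(2023, 6, 2)},
]

MOVEIT_PATTERN = re.compile(r"moveit", re.IGNORECASE)


def is_moveit_connection(conn):
    """True if either the app name or the endpoint hostname references MOVEit."""
    host = urlparse(conn["endpoint"]).hostname or ""
    return bool(MOVEIT_PATTERN.search(conn["app"]) or MOVEIT_PATTERN.search(host))


def assess_connection(conn):
    """Return a finding for a MOVEit-related connection, or None otherwise.

    Patch state is a heuristic: a last_patched date before the advisory date
    means the server cannot have received the fix; a later date only means a
    patch cycle ran, not that no webshell was already present.
    """
    if not is_moveit_connection(conn):
        return None
    patched = conn["last_patched"]
    if patched is None:
        status = "UNKNOWN_PATCH_STATE"   # no evidence either way: treat as exposed
    elif patched < MOVEIT_PATCH_DATE:
        status = "UNPATCHED"             # last maintenance predates the advisory
    else:
        status = "PATCHED_AFTER_ADVISORY"  # still verify no indicators of compromise
    return {"platform": conn["platform"], "app": conn["app"], "status": status}


def find_moveit_exposures(connections):
    """Findings for every MOVEit-related connection, in inventory order."""
    return [f for f in (assess_connection(c) for c in connections) if f is not None]
```

Running `find_moveit_exposures(SAMPLE_CONNECTIONS)` surfaces three connections from the four records, including the one that only reveals itself through its endpoint hostname rather than its app name.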
